Migrating AWS Organizations: How I Did It and Why
Pawel Zubkiewicz
Posted on November 24, 2024
Migrating AWS Organizations is a rarely discussed topic that quickly becomes an administrative and technical challenge when you need to change the management account. AWS Organizations does not allow the management account to be changed once the organization has been created, so the only route is to create a new organization and move every member account into it, one account at a time.
In my case, apart from moving the AWS accounts under a new management account in a new organization, I also changed the authentication method: I moved from IAM users to AWS IAM Identity Center (the successor to AWS Single Sign-On). In this article, I share my experiences during this process, the challenges I faced, and insights that might be helpful to others.
Why Did I Have to Migrate?
My AWS Organization is my personal setup, which I use for learning and small projects. I created my first AWS account back in 2016 with the intention of learning serverless. As my needs grew, I added more accounts and eventually formed an AWS Organization. Due to a lack of experience at the time, I used my first account as the management account. This account already hosted various resources, primarily serverless projects. Over time, I learned that this setup violates AWS best practices: SCPs do not apply to the management account, and it controls billing and every member account, so any workload running there widens the blast radius of a compromise. I couldn't fix it without a major migration, though. For a long while, I operated like this—after all, it was my personal organization, and I didn't need to pass any audits. 😉
Then, AWS Identity Center (previously called SSO) came along, and I wanted to enable it. However, I didn't want to do it in my old, disorganized setup, as I knew it would only make it harder to align with AWS best practices in the future. So, I kept postponing it.
Things changed in 2024, with the arrival of Amazon Q Developer Pro, which I wanted to enable to assist me in coding. Its subscriptions are assigned through IAM Identity Center, which finally pushed me to act. I still didn't want to enable Identity Center in the messy old organization, since that would only have made it harder to align with best practices later.
The third reason, based on some hints and speculation, was that old AWS accounts seem to differ from those created recently. While I don't know the specifics, it's generally better to have a newer account as the management account for the organization. I recall that when AWS finally enabled multiple hardware MFA keys for IAM users, my old AWS account from 2016 only gained this capability a few weeks after the announcement, and AWS Support cited its age as the reason for the delay.
How Did the Migration Go?
In my case, the migration focused solely on transferring member accounts to the new organization, without moving resources between accounts. Here are the main steps:
Setting Up the New Organization – I started by creating a fresh AWS account to serve as the management account and creating a new AWS Organization from it.
Migrating Member Accounts – Next came the most time-consuming part: moving the member accounts one by one. Each account first had to leave the old organization, which meant detaching the SCPs that denied organizations:LeaveOrganization (an SCP inherited from a parent OU blocks the account just as one attached directly to it does). Accounts that had been created from within the old organization (rather than invited into it) needed extra preparation, because they had never gone through standalone sign-up: I had to set a root password (via the password-reset flow for the account's root email), enable MFA on the root user, and, most crucially, add a payment method and complete the remaining sign-up details. The payment method was the key item: under consolidated billing it is normally configured only on the management account, and AWS will not let an account leave until it can operate, and be billed, as a standalone account.
Accepting the Invitation to the New Organization – Once an account had left the old organization, it was standalone: no SCPs applied to it any longer, only its own IAM policies, so this window is worth keeping short. From the new management account I sent the account an invitation, then accepted it from the member side as the root user (a principal with the organizations:AcceptHandshake and iam:CreateServiceLinkedRole permissions can accept it as well). Only then did the account become a member of the new organization.
Challenges I Faced
- Payment Issues – The main difficulty was setting up payment methods for the accounts that had been created inside the old organization, since they had never needed individual payment details. I had to do this manually for each account.
- Lack of Automation – Another significant challenge was the lack of automation from AWS. There is no tool for moving an organization, whole or in part, under another management account; the individual steps (detaching SCPs, leaving, inviting, accepting) are all available through the Organizations API and CLI, but the sequence has to be driven by hand or scripted yourself. Fortunately, in my case this involved only seven accounts, so it was manageable within a reasonable timeframe.
- SCPs and IAM Policies – I recreated the SCPs in the new organization by copy-pasting their JSON definitions, and the IAM configuration inside each account was untouched by the move. One thing to check afterwards: accounts that were originally created by the old organization still carry the OrganizationAccountAccessRole, and its trust policy names the old management account ID. That role should be repointed at the new management account, or removed, once the migration is done.
AWS Identity Center - A Fresh Start
Implementing AWS IAM Identity Center in the new organization represented a major shift in my approach to access and security management. You can find more details in my previous article Simplified Configuration of SSO Profiles in AWS CLI Using SSO Sessions. Additionally, unlike in the old organization where resources were deployed directly on the management account, I decided to strictly adhere to AWS best practices and keep the management account empty.
Interestingly, Identity Center itself has to be enabled from the management account (its day-to-day administration can be delegated to a member account, but enabling it cannot), so the management account isn't entirely empty. This is the one accepted exception to the rule of not placing resources on the management account.
Recommendations
If you need help with setting up your AWS Organization or Identity Center, I recommend the excellent instructional videos by Łukasz Dorosz, which helped me get up to speed. In fact, if my memory serves me right, Łukasz was advising me to switch to Identity Center back in 2023. Thank you, Łukasz!
Summary
Migrating AWS Organizations is a complex task that may require many manual steps, but it is achievable with the right approach. In my case, creating a new organization and manually migrating accounts was the best solution, allowing me to organize resources and implement better security practices. Ultimately, it enabled me to use Amazon Q Developer Pro.
For those considering a similar migration, the most important advice is to plan the process carefully and prepare all the necessary elements, especially payment setups and root account access for all AWS accounts being migrated. While the process is time-consuming, the benefits of a well-structured setup and increased security far outweigh the effort.
If you're just starting out with AWS Organizations, create a fresh, dedicated management account that hosts no workloads. This will save you from the need for a migration in the future and ensure you're aligned with AWS best practices from the start.
I hope my story will be helpful to those facing a similar challenge and that it will help you avoid my mistakes when creating your own AWS organization.